With more and more vehicle modules having functional, updateable software installed thereon, customers have come to expect that the software on the various modules is kept up to date and functional. Since vehicles do not usually have a persistent network connection, keeping the software updated currently relies on: a) over-the-air (OTA) updates downloaded when a connection is available; b) taking the vehicle to a dealer periodically to update the software; or c) the customer manually installing updates.
As original equipment manufacturers (OEMs) add ever more electronic control units (ECUs) to a vehicle, the desirability of OTA updates grows. OTA updating allows the OEM to control and update a vast array of software on the vehicle, while ensuring compatibility between updates. Because many updates can have an effect on the drivability of the vehicle, the vehicle often processes these updates during key-off states, where the owner is not driving the vehicle. In other models, the vehicle may process updates during key-on states, which allows the vehicle to update software while being driven.
The vehicle can handle a multi-cycle update such that memory in the vehicle is erased and written over multiple key cycles, and only after the whole update is processed does the vehicle switch to the new software. Until then, the vehicle continues to run the old, still-compatible software on the module being updated.
Unfortunately, the nature of these multi-cycle updates provides an opportunity for replay attacks and other malicious interference. A hacker may intercept a command to a vehicle and attempt, at a later time, to send the same command again. Because the update spans several key cycles, the vehicle may not have finished processing the command when it first arrived, so the replayed copy is, as far as the vehicle can tell, still a valid command: it is correctly formed, it is authentic, and it belongs to an update that is still in progress. The vehicle needs to be able to distinguish between valid commands received from an approved source, and replay or other malicious commands received from someone attempting to cause an invalid or unapproved change in software.
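The replay window described above, modelled in Python as an added illustration (this is not code from the original text or from any OEM or supplier). It assumes a command format of session id, sequence number, opcode and payload under an HMAC-SHA256 tag, a shared key, and an ECU model with simulated non-volatile memory; the freshness check it contrasts with the tag-only check (a session id plus a monotonic sequence counter persisted across key cycles) is a standard countermeasure chosen for the demonstration, not the method of the original text. The key, session id, opcodes and commands are all constructed.

```python
"""Replay against a multi-cycle OTA update: an ECU that checks only the
message authentication tag, beside one that also checks freshness.

Added illustration, not code from the original text or from any vehicle
supplier. The shared key, the message layout (session id, sequence number,
opcode, payload, HMAC-SHA256 tag), the opcodes and the ECU model are all
assumptions made for the demonstration.
"""
import hashlib
import hmac
import struct

SHARED_KEY = b"\x01" * 32           # constructed demo key (assumption)
HDR = struct.Struct(">16sIB")       # session id, sequence number, opcode (assumed layout)
TAG_LEN = 32
OP_ERASE, OP_WRITE, OP_ACTIVATE = 1, 2, 3


def build_command(session_id: bytes, seq: int, opcode: int, payload: bytes) -> bytes:
    """Update server: header || payload || HMAC-SHA256(key, header || payload)."""
    body = HDR.pack(session_id, seq, opcode) + payload
    return body + hmac.new(SHARED_KEY, body, hashlib.sha256).digest()


def parse_authentic(msg: bytes):
    """Return (session_id, seq, opcode, payload) if the tag verifies, else None."""
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    if len(body) < HDR.size or not hmac.compare_digest(expected, tag):
        return None
    session_id, seq, opcode = HDR.unpack(body[:HDR.size])
    return session_id, seq, opcode, body[HDR.size:]


class TagOnlyEcu:
    """Authenticity only: any command with a valid tag is executed, so a
    command captured in one key cycle can be replayed in a later one."""
    def __init__(self):
        self.flash_ops = []

    def handle(self, msg: bytes) -> bool:
        parsed = parse_authentic(msg)
        if parsed is None:
            return False
        _, seq, opcode, payload = parsed
        self.flash_ops.append((seq, opcode, payload))
        return True


class FreshEcu:
    """Authenticity plus freshness: the command must name the update session
    currently open on the ECU and carry a sequence number strictly above the
    last one applied. Both values live in simulated non-volatile memory so the
    check survives the key-off/key-on cycles a multi-cycle update spans."""
    def __init__(self, nvm: dict):
        self.nvm = nvm                       # shared across key cycles (assumed NVM)
        self.nvm.setdefault("last_seq", 0)   # monotonic, never reset
        self.flash_ops = []

    def begin_session(self, session_id: bytes):
        # Assumed to be triggered by an authenticated update announcement.
        self.nvm["session"] = session_id

    def handle(self, msg: bytes) -> bool:
        parsed = parse_authentic(msg)
        if parsed is None:
            return False
        session_id, seq, opcode, payload = parsed
        if session_id != self.nvm.get("session") or seq <= self.nvm["last_seq"]:
            return False                     # stale, replayed or foreign-session command
        self.nvm["last_seq"] = seq
        self.flash_ops.append((seq, opcode, payload))
        return True


def simulate() -> dict:
    """Two key cycles of a constructed update, with one replay in between."""
    session = b"update-session01"   # exactly 16 bytes, constructed
    cmds = [build_command(session, 1, OP_ERASE, b""),
            build_command(session, 2, OP_WRITE, b"block0"),
            build_command(session, 3, OP_ACTIVATE, b"")]
    captured = cmds[1]               # attacker records the WRITE during cycle 1

    naive, nvm = TagOnlyEcu(), {}
    fresh = FreshEcu(nvm)
    fresh.begin_session(session)
    for c in cmds[:2]:               # key cycle 1: erase, write
        naive.handle(c)
        fresh.handle(c)

    fresh = FreshEcu(nvm)            # key-off/key-on: RAM lost, NVM kept
    results = {
        "naive_accepts_replay": naive.handle(captured),    # cycle 2: replayed WRITE
        "fresh_accepts_replay": fresh.handle(captured),
        "fresh_accepts_genuine": fresh.handle(cmds[2]),   # genuine ACTIVATE
    }
    tampered = bytearray(cmds[2])
    tampered[-1] ^= 1                # corrupt the tag: both ECUs must reject
    results["tampered_rejected"] = not fresh.handle(bytes(tampered))
    results["fresh_flash_ops"] = [op for _, op, _ in fresh.flash_ops]
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The point of the simulation is the second key cycle: the tag-only ECU re-executes the captured WRITE because nothing in the message tells it the command has already been consumed, while the freshness-checking ECU rejects it because its persisted counter already stands at 2. Keeping that counter in volatile memory would reopen the window at every key-off, which is why the example stores it in the simulated NVM.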